HIPAA Week 3 The Security Rule
Security Rule
The Security Rule (SR) deals with ONLY electronic Protected Health Information (ePHI), which is essentially a subset of what the Privacy Rule encompasses (the Privacy Rule covers oral, hard copy and electronic PHI).
Goal of Security Rule
To ensure reasonable and appropriate administrative, technical, and physical safeguards that ensure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information.
Focus of Security Rule
• Both external and internal threats
• Prevention of denial of service
• Theft of private information
• Integrity of information
Foundation
Security protections are “reasonable and appropriate”
The Standards…
Are separated into three groups:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
General Requirements of the Standards…
Ensure:
• Confidentiality (only the right people see it)
• Integrity (the information is what it is supposed to be – it hasn’t been changed)
• Availability (the right people can see it when needed)
Rule has 4 categories
1. Administrative Procedures
2. Physical Safeguards
3. Technical data security services
4. Technical security mechanisms
Administrative Procedures: 12 Requirements
1. Certification
2. Chain of Trust Agreements
3. Contingency Plan
4. Mechanism for processing records
5. Information Access Control
6. Internal Audit
7. Personnel Security
8. Security Configuration Management
9. Security Incident Procedures
10. Security Management
11. Termination Procedures
12. Training
Physical Safeguards: 6 Requirements
1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training
Technical Data Security Services: 5 Requirements
1. Access Control
2. Audit Controls
3. Authorization Control
4. Data Authentication
5. Entity Authentication
Technical Security Mechanism: 1 Requirement
1. Protections for health information transmitted over open networks via:
• Integrity controls, and
• Message authentication, and
• Access controls OR encryption
New rules for Breaches
The new Privacy requirements apply if all of the following are present in a Privacy Event:
• There is a “Breach.” The Rule defines “Breach” to mean (subject to certain exceptions) the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”).
• The PHI is “unsecured.” The Rule defines “unsecured protected health information” to mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS guidance.
• The Breach “compromises the security of the PHI.” Under the Rule, this occurs when there is a significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.
Notification of Breaches
• Prior to the HITECH Act, no mandated reporting to outside authorities
• Since HITECH: notifications are mandatory for a breach of unsecured ePHI
Breaches
OCR received 7,116 complaints in 2009, a sharp decline from the 8,526 received in 2008 and 8,174 received in 2007. In 2006, OCR received 7,334 complaints.
Primary reasons for the violations
• Incidental disclosure of individually identifiable health information
• Lack of adequate safeguards
• Not providing a copy of records to patients
• Disclosure of more than necessary information
• Failure to give notice of privacy practice
Notification Guidelines: Notification to Individuals
• A covered entity must send the required notification to each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the Breach, without unreasonable delay.
• Must be in plain, reasonable language
• If the patient is deceased, must notify next of kin.
Notification Guidelines: Notification to Media
• If a covered entity discovers a Breach affecting 500 or more residents of a state or jurisdiction, it must provide notice to prominent media outlets serving that state or jurisdiction without unreasonable delay.
Notification Guidelines: Notification to HHS
• If 500 or more individuals are involved in the Breach, then the covered entity must notify HHS concurrently with the individual notifications.
• HHS (through the HHS enforcement agency, the Office for Civil Rights or ‘OCR’) requires an annual notification for Breaches involving fewer than 500 individuals per Event.
Enforcement
• Enforcement and Penalties begin February 2010
• Projected to be increased enforcement from OCR
• In the past CMS (Centers for Medicare and Medicaid Services) has enforced HIPAA Security Rules while OCR has handled Privacy Rule compliance.
Enforcement (cont’d)
• Now: Privacy and Security enforcement will be combined under one agency (OCR). This will eliminate duplication of work and increase efficiency, according to the HHS Secretary.
• Another significant enforcement change is that under HITECH, State Attorneys General can now bring actions for Privacy violations in federal court.
New rule
• The “Stimulus Act” requires that within the next three years regulations are passed that will allow individual victims of a HIPAA violation to receive a percentage of any monetary penalty collected for the offense.
• This monetary incentive could significantly increase the number of HIPAA complaints brought by individuals.
Implementation
• Implement the necessary safeguards
• Perform a risk analysis
• Risk management
• Ensure policies are in place
• Stay attuned to deadlines and changes in the law!
Key Impacts of HIPAA include
• Development and documentation of policies and procedures
• Designation of a privacy official
• Identifying and contracting with business associates
• Development of patient consent and authorization forms
• Distributing and updating notice of privacy practices and associated procedures
• Development and distribution of patient notice
• Capturing, tracking, and maintaining history of data disclosures
• Tracking and resolving individual complaints
• Training workforce members who have access to patient identifiable information
• Altering the oral communication culture of the organization